*** This bug is a security vulnerability ***
Public security bug reported:
Using libxml2 2.7.8.dfsg-4ubuntu0.2 from (K)Ubuntu 11.10.
In an attempt to address oCERT 2011-003, libxml2 now seeds its hash
table with using rand(). This is broken and lame:
Firstly, srand() and rand() are not thread-safe, even though libxml2 is
supposed to be thread-safe (when adequately initialized by the program).
The fix is easy: replace srand() with a variable assignment, and replace
rand() with rand_r().
Secondly, using time(NULL) as a seed totally misses the point. It is
trivial for a potential attacker to guess the value of time(NULL).
That's the current UTC current time rounded to the second.
** Affects: libxml2
Importance: Undecided
Status: New
** Affects: libxml2 (Ubuntu)
Importance: Undecided
Status: New
** Affects: libxml2 (Debian)
Importance: Undecided
Status: New
** Visibility changed to: Public
** Also affects: libxml2 (Debian)
Importance: Undecided
Status: New
** Also affects: libxml2
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/983810
Title:
libxml2 security update fails to address problem and breaks thread-
safety
To manage notifications about this bug go to:
https://bugs.launchpad.net/libxml2/+bug/983810/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
